Bug 187252

Summary: RFE: Add rekey support as soon as the vpnc rekey patch is accepted upstream
Product: [Fedora] Fedora
Reporter: Patrick C. F. Ernzer <pcfe>
Component: NetworkManager-vpnc
Assignee: Christopher Aillon <caillon>
Status: CLOSED RAWHIDE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Docs Contact:
Priority: medium
Version: 5
CC: caillon, davidz, dcantrell, dcbw, extras-qa
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Doc Type: Bug Fix
Last Closed: 2006-05-29 04:14:44 UTC

Description Patrick C. F. Ernzer 2006-03-29 16:06:52 UTC
Description of problem:
FC5 has the rekey patch applied to vpnc; it would be nice if NetworkManager-vpnc
supported this as well.

Version-Release number of selected component (if applicable):
NetworkManager-vpnc-0.5.0-1
vpnc-0.3.3-7

Additional info:
Obviously, until such time that upstream accepts the rekey patch we cannot add
this as we do not know if the vpnc that NM-vpnc will access even supports the
option.

Comment 3 David Zeuthen 2006-03-29 16:48:50 UTC
Passing the buck to Dan Williams

Comment 4 Jesse Keating 2006-03-29 18:37:16 UTC
The real solution is to get upstream vpnc to turn on re-key by default, so that
we don't need an option in nm-vpnc.

But this does expose a greater problem.  With nm-vpnc there is no way to pass
custom options to the vpnc binary.  There should be a way to do this, perhaps
not exposed as much.

Comment 6 David Zeuthen 2006-03-30 15:14:48 UTC
I don't really see a need to expose to the user whether rekeying is needed; it's
a dull implementation feature albeit an important one. 

So.. we don't want this either in gconf (we don't want users to use
gconf-editor to modify existing connections) or in the UI (it just doesn't make
sense in the UI). Please don't.

Suggest to make NM-vpnc accept a compile time option whether to pass the
rekeying option. Then we can pass this option to the NM-vpnc FE package and make
it pull in the right vpnc package that supports rekeying.

There is really no need to make it more complicated.


Comment 7 Dan Williams 2006-03-30 15:41:47 UTC
Hmm, the problem here is that I don't think vpnc knows about the rekey interval
from anything but the config file...  so if you want rekeying, you need to know
what the interval is, no?  We use 8 hours, but I've heard of one place that uses
15m intervals (crazy).

While the Cisco client appears to be able to automatically determine the rekey
interval, vpnc doesn't support that yet...

Comment 8 David Zeuthen 2006-03-30 16:06:24 UTC
Oh my... so until vpnc gets this functionality suggest to just hardcode it at
say two hours just to pick a random number. I mean... it's not like NM-vpnc was
useful before to people that use 15m intervals as it didn't do rekeying before that.

How about that?

Some day, and that day may never come, vpnc can figure this out itself.

Ah, the joys of options - options are indeed evil :-)

Comment 9 Christopher Aillon 2006-04-04 19:16:19 UTC
Hey hey hey.  I've got this under control.  :-)  I have a patch already which
I'm tuning.

Comment 10 Dan Williams 2006-05-29 04:14:44 UTC
Patch is in Rawhide and CVS HEAD of NM.  Rekey is defaulted to 2 hours, and
users can modify it by adding the correct config magic to GConf.  There's no UI
for it though.